News items for tag hardware - Koos van den Hout

2022-09-25 Found a "Corinex CXWC-HD200-WNeH"? Let me know!
Officially the "Corinex CXWC-HD200-WNeH" cable modem has been out of support for years and deployments should have migrated to newer solutions. That is the reason I got my hands on one: it was replaced by a DOCSIS-based modem. As far as I can tell these modems are based on HomePNA or HomePlug over coax networks (the tools on the router don't tell what kind of standard the coax side uses).

I'd like to know if any of these are still used in the wild. If you find this post because you got bored and looked at the underside of the wifi box in your holiday park, get in touch!

My e-mail address is at the bottom of this page and I'm on Twitter as @khoos.

2022-09-22 Getting further into the Corinex CXWC-HD200-WNeH: I got root!
Corinex CXWC-HD200-WNeH side with warrantylabel. The warranty was voided.
Picture by Koos van den Hout, license CC-BY-SA
This week I was attending a course in hardware hacking: HackLab: Hardware Hacking at the Deloitte office in Den Haag.

How to find the right pins to get a command line on a router-like device was part of this course, and on the last day there was an option to Bring Your Own Device to hack. So I brought this router, as I thought it was an ideal target: on the earlier try I could not get into the web interface of the Corinex CXWC-HD200-WNeH device.

Corinex CXWC-HD200-WNeH opened boards visible
Picture by Koos van den Hout, license CC-BY-SA
So this time I took out the screwdriver and voided the warranty of the device by breaking the little sticker on the side and opening it. It has a board with the power supply and cable interface parts. The power supply is shielded with some plastic.

There is a smaller board with the main chip, which contains the processor, RAM and wifi module. The first task was to find the UART interface, which should give a serial console. That's a skill I learned in the hacklab: first find out which pins have continuity to ground with the device switched off. With a simple multimeter which has a beeping continuity meter this is simple. The beep makes it possible to test the device without looking at the meter.

After that it's a matter of switching the multimeter to voltage and checking other pins for voltage. Usually there are 4 pins on a UART port: ground, which is physically connected to the device ground, receive data, send data and a reference voltage. When measuring the pins, the reference voltage will be at the steady maximum voltage, the pin transmitting data from the device will be varying and the pin where the device expects data will be at 0 volt.

UART ports can be 5 volt, 3.3 volt, 2.5 volt or 1.8 volt in recent devices. 5 and 3.3 volt are the most common. USB serial interfaces that support 5 and 3.3 volt are cheap (3 euro), USB serial interfaces that support all 4 are somewhat more expensive (10 euro).

For the Corinex router the voltage is 3.3 volt. There was a 3.3 volt FTDI USB to serial interface available, so I was able to access the UART port. I connected to the UART port, used a terminal program and searched for the right serial port settings and ended up at 57600 baud, 8 bits, no parity, 1 stop bit.

After looking at all the boot messages I was greeted with a root prompt. No more hacking, just full access. The system boots using the U-Boot bootloader. The system runs Linux with a 2.6.21 kernel. I looked around on the filesystem and started looking for the configuration for the web server, hoping to find the username/password. I found this in /flash/config so I could get into that interface as well.

I also found it was running a telnet server, but not on the standard port. The port was 32560. Without commands like netstat or ss I had to learn this from /proc/net/tcp. Browsing the iptables listing shows that port 80 is supposed to be allowed and other ports aren't, but 32560 reacts fine.
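The /proc/net/tcp lookup described above, as an added example that is not part of the original post: it lists listening TCP ports from /proc/net/tcp-format text and reports those outside an allow-list, using only a POSIX shell and `sort`. The sample table is constructed, the function names are made up for this illustration, and the allow-list of port 80 follows the iptables listing mentioned above.

```shell
#!/bin/sh
# Each socket line reads "sl local_address rem_address st ...", where
# local_address is HEXIP:HEXPORT and state 0A means LISTEN.

# Print the listening TCP ports (decimal) found in the table on stdin.
# Assumes sort is available; drop it if the device's shell lacks it.
listening_ports() {
    while read -r sl laddr raddr state rest; do
        [ "$state" = "0A" ] || continue   # skips the header and non-listening sockets
        hexport=${laddr##*:}              # part after the colon is the port in hex
        echo $((0x$hexport))
    done | sort -n -u
}

# Print listening ports that are not in the space-separated allow-list $1.
unexpected_ports() {
    allowed=" $1 "
    listening_ports | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;               # expected, stay quiet
            *) echo "$port" ;;
        esac
    done
}

# Constructed sample in /proc/net/tcp layout (not captured from the device).
sample_proc_net_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 c0ffee00 300 0 0 2 -1
   1: 00000000:7F30 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1187 1 c0ffee40 300 0 0 2 -1
   2: 0101A8C0:0050 6401A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 1302 1 c0ffee80 300 0 0 2 -1
EOF
}

# Hex 7F30 is port 32560; only port 80 is expected to listen.
sample_proc_net_tcp | unexpected_ports "80"
```

On a live system the same check runs as `unexpected_ports 80 < /proc/net/tcp`; IPv6 listeners, where supported, are in /proc/net/tcp6 with the same column layout.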

Chip found: Ralink RT3052F processor with embedded RAM and flash, 2.4 GHz wifi and a network switch for one gigabit port and five 100 Mbit ports.

Things I'd still like to do: copy the entire filesystem to another computer so I can research it and check around the web interface for security issues.

2022-09-17 Looking into the Corinex CXWC-HD200-WNeH
Corinex CXWC-HD200-WNeH underside
Picture by Koos van den Hout, license CC-BY-SA
I have a "Corinex Detachable Wireless-N Cable Access" Corinex CXWC-HD200-WNeH to play with. This has been used for Internet access over TV coax cable in a bungalow park where it has been replaced.

So it is some sort of cable modem. According to the source it's not a managed network over cable (DOCSIS) but more like Ethernet over cable, a relative of Ethernet over powerline. Searching a bit finds hempro | JPK consulting which seems to be the next generation and isn't compatible.

I also found Docsis, EOC of Moca toegepast in kleine kabeltelevisienetwerken which mentions that Corinex products are ethernet over cable according to the HomePNA (abbreviated HPNA) 3.1 standard.

The only mentions of these devices are for Dutch bungalow parks or campsites, for example woon op een camping, open wifi. geen internet.

The site at corinex.nl just lists why you should stop relying on these devices and replace them with newer technologies that are supported.

It's not clear to me whether I can simply set up a network with a bit of coax and another HomePNA coax interface or whether I need some sort of headend.

Time to play with the device and see how far I can get!

Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4.

My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.